The sandbox component of Adobe Acrobat Reader has a flaw, which has been present since the 11.0.8 version and is not fixed in the latest version.
The flaw makes the product vulnerable to NTFS junction attacks, when dealing with the MoveFileEx call hook. Theoretically speaking, this presents the potential attacker with the chance to break out of the sandbox and create arbitrary files in the filesystem, using the permissions the current user has.
Google’s security researcher James Forshaw found the flaw in August and supported his discovery with a proof-of-concept in order to demonstrate it. He reported the vulnerability in a discrete manner, before he made it publicly available, which gave Adobe 90 days to issue a patch.
Here is what the researcher wrote:
→“While the function resolves the location of the source and destination and ensures they are within the policy there is a timing race once the function calls into the MoveFileEx function in the broker. This race can be won by the sandboxed process by using an OPLOCK to wait for the point where the MoveFileEx function opens the original file for the move. This allows code in the sandbox to write an arbitrary file to the file system.”
The application has been updated to build 11.0.9, but the researcher is concerned that the issue persists in this version too. Either way, it seems like the company has taken some precautions to make sure that the users do not run any risk.
James Forshaw says that the changes made in the newest version of the Adobe Reader make the flaw “difficult if not impossible to exploit.”
What is important is that currently, the option to make directory junctions in order to use sandboxed code to create an arbitrary file in the system no longer exists.
